{{- if semverCompare ">= 1.26" .Values.global.discovery.kubernetesVersion }}
{{- $policyName := "d8-multitenancy-manager" }}
---
{{- if semverCompare ">= 1.28" .Values.global.discovery.kubernetesVersion }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1alpha1
{{- end }}
kind: ValidatingAdmissionPolicy
metadata:
  name: {{ $policyName }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "multitenancy-manager") ) | nindent 2 }}
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups:   ["*"]
        apiVersions: ["*"]
        operations:  ["UPDATE", "DELETE"]
        resources:   ["*"]
        scope: "*"
  validations:
    - expression: 'request.userInfo.username == "system:serviceaccount:d8-system:deckhouse"'
      messageExpression: "'This resource is managed by ' + string(object.metadata.namespace) + ' Project. Manual modification is forbidden.'"
---
{{- if semverCompare ">= 1.28" .Values.global.discovery.kubernetesVersion }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1alpha1
{{- end }}
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: {{ $policyName }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "multitenancy-manager") ) | nindent 2 }}
spec:
  policyName: {{ $policyName }}
  validationActions: [Deny, Audit]
  matchResources:
    namespaceSelector:
      matchLabels:
        heritage: multitenancy-manager
    objectSelector:
      matchLabels:
        heritage: multitenancy-manager
{{- end }}
